Date:      Thu, 11 Sep 2014 08:01:46 -0700
From:      Freddie Cash <fjwcash@gmail.com>
To:        "freebsd-ipfw@freebsd.org" <freebsd-ipfw@freebsd.org>
Subject:   IPFW rule sets and automatic rule numbering
Message-ID:  <CAOjFWZ4rx4FAc4AoPw3d=cSg4-z_QOWEF=phkT2PuzfUjn0y5A@mail.gmail.com>

Good morning everyone,

Just wondering if I'm doing things wrong, or if those two features (rule
sets and auto incrementing rule numbers) just don't play well together.

Until now, I've used the auto-incrementing feature to minimize the amount
of work I need to do when changing/updating/adding rules in the middle of
my scripts.  This has been working great, and is controlled via
the net.inet.ip.fw.autoinc_step sysctl.

Recently I was playing with the rule sets feature and using "ipfw set swap"
to speed up my firewall rules reloading times.  Previously, I'd clear the
rules, then load the new rules, but that could leave up to 30 seconds of
downtime.  With the use of sets, that's under 1 sec.

Everything works well on the first run.  Everything is loaded correctly
into set 1, then swapped into set 0 and made live.  All rules are numbered
correctly.

On the second run, all the rules are loaded into set 1 using rule numbers
65524-65534, and then swapped into set 0.

On the third (and all subsequent) runs, all rules are loaded into set 1 with
rule number 65534, and then swapped into set 1.

It seems the rule numbers are global across all sets?  Meaning, the "last
used automatic number" is global across all sets?

I was expecting the rule numbers to be unique per set.  I do the following
to clear out rule set 1 before adding rules:

ipfw -f set 1 flush
ipfw set disable 1

Then load all my rules into set 1 using the following syntax:

ipfw add set 1 allow tcp from 1.2.3.4 to 2.3.4.4 in recv igb0
....
....
....

Then swap the rules at the end using:

ipfw set swap 1 0

Is there anything I could be doing differently to get the numbering to work
the way I expect it to?  Or am I going to have to manually number every
rule in my scripts?


-- 
Freddie Cash
fjwcash@gmail.com
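Added example, not the poster's script: a small sh reload script that keeps the flush/disable/load/swap sequence from the message above but assigns every rule an explicit number from a counter inside the script, so the numbers in the staging set no longer depend on whatever state the kernel's auto-increment counter is in. The set numbers, start/step values and rule bodies are constructed placeholders, and the load step assumes ipfw(8) reading its rule file from /dev/stdin.

```shell
#!/bin/sh
# Reload ipfw rules through a staging set with explicit rule numbers, so the
# numbering is independent of the kernel's auto-increment counter.
# Constructed example; set numbers, start/step and rule bodies are placeholders.

STAGE_SET=1       # set that is flushed, loaded, then swapped in
LIVE_SET=0        # set that is currently active
RULE_START=100    # number given to the first rule
RULE_STEP=100     # gap between consecutive rule numbers

# One rule body per line: everything after "add <num> set <n>".
# Constructed sample rules, not the poster's real rule set.
RULE_BODIES='allow tcp from 1.2.3.4 to 2.3.4.4 in recv igb0
allow ip from any to any via lo0
deny ip from any to any'

# Emit "add N set S <body>" lines in ipfw(8) rule-file syntax, numbering
# from $1 in steps of $2 into set $3. Text only, so it runs on any host.
# Fails before reaching 65535, the number of the kernel's default rule.
gen_rules() {
    num=$1
    step=$2
    rset=$3
    while IFS= read -r body; do
        [ -n "$body" ] || continue
        if [ "$num" -ge 65535 ]; then
            echo "gen_rules: rule number $num would collide with the default rule" >&2
            return 1
        fi
        printf 'add %d set %d %s\n' "$num" "$rset" "$body"
        num=$((num + step))
    done <<EOF
$RULE_BODIES
EOF
}

# The poster's sequence: clear and disable the staging set, load it from the
# generated rule file on stdin, then swap it with the live set.
reload() {
    ipfw -f set "$STAGE_SET" flush
    ipfw set disable "$STAGE_SET"
    gen_rules "$RULE_START" "$RULE_STEP" "$STAGE_SET" | ipfw -q /dev/stdin
    ipfw set swap "$STAGE_SET" "$LIVE_SET"
}

case "${1:-print}" in
    apply) reload ;;                                             # needs root on FreeBSD
    *)     gen_rules "$RULE_START" "$RULE_STEP" "$STAGE_SET" ;;  # dry run: show the rules
esac
```

Run it without arguments to inspect the numbered rule list, and with `apply` on the firewall host to perform the swap.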


